Revision as of 16:26, 22 March 2010

Overview

OWASP's AIR Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of AIR application security.

What is AIR?
Adobe AIR is a platform for building desktop applications. Unlike other RIA technologies, AIR does not run within or extend the web browser. Because AIR lets developers create fully privileged desktop applications, it requires that all applications be digitally signed. AIR supports signing the application either with a self-signed certificate or with one verified by a trusted CA. The install experience is similar to the Microsoft experience for installing an executable. If the application is signed by a trusted CA, the end user sees a dialog showing the author's information from the certificate. If the application is self-signed, the user receives a warning and no information from the certificate is shown. AIR requires administrative privileges on the OS to install the application. Once installed, the application runs with the privileges of the user who starts it. Applications are registered with the OS so that the OS's add/remove functionality can be used to install or uninstall the application.

AIR allows developers to create their applications with ActionScript, HTML, JavaScript or a combination of those technologies. AIR contains two security sandboxes for separating privilege within the application. The application sandbox is the fully privileged sandbox that provides the APIs for desktop interaction. Certain restrictions exist within this sandbox to drive developers towards secure programming practices. There is also a non-application sandbox for loading untrusted content from the web. Content loaded within the non-application sandbox executes with traditional web browser sandbox permissions. Developers can choose to expose functionality from the application sandbox to the non-application sandbox through a sandbox bridge. This must be done manually by the developer, who explicitly chooses the variables or functions that are exposed.
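The following is an added example, not code from the OWASP project page or from Adobe, showing the sandbox-bridge pattern described above from the application sandbox's side: only explicitly chosen, input-validated functions are placed on the bridge, and they hand back primitive copies rather than references into application-sandbox state. The property names parentSandboxBridge and childSandboxBridge are AIR's own HTML-sandbox bridge API; the helper names, the settings store, the iframe id and the note sink are hypothetical. The bottom guard lets the same code run outside AIR (e.g. under Node) against a plain object standing in for the child window.

```javascript
// Added example (not from the OWASP page): an application-sandbox page exposes
// a minimal, validated API to a non-application-sandbox iframe through AIR's
// parentSandboxBridge. Helper names, the settings store and the iframe id are
// hypothetical; the bridge property name is AIR's own.

// Constructed in-memory settings held by the application sandbox.
const SETTINGS = { theme: 'dark', locale: 'en-US', apiToken: 'secret-do-not-expose' };

// Only these keys may cross the bridge; any other key is refused.
const READABLE_SETTINGS = new Set(['theme', 'locale']);
const MAX_NOTE_LENGTH = 200;

// Builds the object handed to untrusted content. Every property is an explicit
// choice by the developer; nothing else in the application sandbox is reachable.
function buildParentBridge(store, noteSink) {
  return {
    // Returns a primitive copy of an allowlisted setting, never an object reference.
    readSetting(name) {
      if (typeof name !== 'string' || !READABLE_SETTINGS.has(name)) {
        return null; // refuse unknown or non-allowlisted keys such as apiToken
      }
      return String(store[name]);
    },
    // Accepts a bounded, non-empty string from the child; reports acceptance.
    saveNote(text) {
      if (typeof text !== 'string' || text.length === 0 || text.length > MAX_NOTE_LENGTH) {
        return false;
      }
      noteSink.push(text);
      return true;
    },
  };
}

// Installs the bridge on the child window. In AIR the child is the contentWindow
// of an iframe mapped into the non-application sandbox (sandboxRoot/documentRoot
// attributes); any object with the same shape works outside AIR.
function installParentBridge(childWindow, bridge) {
  childWindow.parentSandboxBridge = bridge;
  return childWindow;
}

// Simulates what non-application content can reach: only the bridge's functions.
function childUsesBridge(childWindow) {
  const b = childWindow.parentSandboxBridge;
  return {
    theme: b.readSetting('theme'),            // allowlisted -> 'dark'
    token: b.readSetting('apiToken'),         // not allowlisted -> null
    ownKeys: Object.keys(b).sort(),           // exactly the exposed functions
    noteOk: b.saveNote('hello from the web'), // within bounds -> true
    noteTooLong: b.saveNote('x'.repeat(MAX_NOTE_LENGTH + 1)), // rejected -> false
  };
}

if (typeof window !== 'undefined' && document.getElementById('untrusted')) {
  // Inside AIR: attach the bridge to the real non-application-sandbox iframe
  // (hypothetical iframe id 'untrusted').
  installParentBridge(document.getElementById('untrusted').contentWindow,
                      buildParentBridge(SETTINGS, []));
}
```

The design point is that the bridge is an allowlist: the child never receives the settings object itself, only string copies of the keys the developer chose, and every argument that comes back across the bridge is type- and length-checked before the application sandbox acts on it.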

To install an application, AIR provides its own download manager and install dialogs in order to provide a consistent cross-browser experience. The download and install of the application can be launched from a SWF badge hosted on the website. The SWF merely calls an API that tells the AIR runtime to start the download process and provides the URL of the application to be downloaded. The end user is presented with an Open/Save dialog. The Open button leads the user to the certificate verification dialog and then to the application install choices, such as install location. AIR also allows the developer to choose to make their application launchable from the browser. By default, AIR applications cannot be launched from the web browser. Typically, desktop applications register a custom protocol with the browser to allow the application to be launched from it; this approach has led to several security issues in the past. To solve this, AIR instead allows a SWF hosted on the website to launch the application. The SWF can call the AIR application and pass arguments within the call through a formally defined API.

Goals

The OWASP AIR Security Project aims to produce guidelines, references and tools around AIR application security.

References

[3] AIR Security with Flex (http://livedocs.adobe.com/flex/3/html/help.html?content=security_1.html): This section of the Developing Adobe® AIR™ Applications with HTML and Ajax manual covers security topics such as best practices for developers, AIR sandboxes and Flex security.

[4] AIR Security with HTML (http://livedocs.adobe.com/air/1/devappshtml/security_1.html): This section of the Developing Adobe® AIR™ Applications with HTML and Ajax manual covers security topics such as best practices for developers, AIR sandboxes, and HTML security.

Useful Specifications

AMF0 Specification The specification for the first generation of AMF (AMF 0) used by Flash Player.

RTMP Specification This is the specification for the Real Time Messaging Protocol used by SWF content.

FLV/F4V Specification The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.